SafeChat Business Terms
Subject to your compliance with these Terms of Use, you may access and use the Services. In using the Services you must comply with all applicable laws as well as any Usage Policy and other documentation, guidelines, or policies we make available to you.
1. Definitions
1.1. “Account Administrator” shall mean Customer’s nominated account administrator who has the authority to invite End Users to the Customer’s Business Account
1.2. “Business Account” shall mean the Customer’s account covered by this Agreement.
1.3. “End User” shall mean a natural or legal person who is a registered user of the Services, either as an existing End User who you wish to add to your Business Account, or as a new End User who will register and use the Services as a result of a Customer invitation.
1.4. “Licence Fees” shall mean the fees together with any payment terms and conditions set out in Schedule A to this Agreement.
1.5. “Personal Data” shall mean any information relating to an identified or identifiable natural person as set out in Article 4 of the GDPR
1.6. “User Content” shall mean any chat messages, prompts, or uploaded documents (collectively “Inputs”) you submit to the Services together with any outputs the Services provide in direct response to your inputs (the “Outputs”).
2. Your Use of the Services
Subject to the terms and conditions of this Agreement, Curvestone grants Customer a finite, non-exclusive, non-transferable, non-sublicensable and non-assignable licence to access and use the Services, and to make the Services available to Customer’s invited End Users.
In using the Services Customer acknowledges and agrees that:
2.1. Customer is responsible for providing accurate account information.
2.2. Customer is responsible for all activities that take place under your Business Account, including the actions of the Account Administrator together with any End User that you add to your Business Account.
2.3. Customer is responsible for all User Content and warrants that it has all rights and permissions to use its Inputs with the Service.
2.4. Customer may only invite your employees or equivalent contract staff, directors, and officers to join your Business Account as End Users.
2.5. Customer will acquire no other licences or rights in or to the Services, and no such licences or rights shall be implied.
2.6. Customer will not and will not permit its End Users to use the Services in a way that (i) is in breach of applicable laws or the Terms of Use, or (ii) infringes any third party’s rights.
3. Payment
Customer agrees to pay the Licence Fees set out in Schedule A or as stated in an applicable Curvestone SafeChat order form. Customer authorises Curvestone and its third-party payment processor to charge the payment method registered on Customer’s account on the agreed-upon basis. All amounts shall be invoiced and paid in Pound Sterling (£GBP) exclusive of taxes which will be charged as required to comply with applicable law. All amounts are due upon invoice issuance unless otherwise agreed in the applicable Curvestone SafeChat order form. Failure to pay any undisputed invoice amount may result in late payment fees and/or suspension of the Service.
4. Restrictions on Use
a) Customer shall not, nor shall it permit any other person to, (i) reproduce, copy, alter, modify, deface, disclose or change the Services, or (ii) decompile, reverse engineer or otherwise gain access to the source code for any Service, or (iii) include the Services in any of its products or developer tools.
b) Customer shall not delete, remove, or obscure any copyright or proprietary notices of Curvestone included in the Services.
c) Customer shall not, nor shall it permit any of its End Users, to breach any restrictions set out in this Agreement or the associated Terms of Use.
d) Title to the Services, including all copies, translations, compilations, and derivative works remains with Curvestone and/or its licensors, and Customer shall not obtain any proprietary rights to the Services.
e) The features and functionality of the Services are subject to enhancement, change, or deprecation at any time and at the sole discretion of Curvestone. Curvestone shall provide reasonable advance notice of any such change. This obligation to provide advance notification shall not apply to emergency maintenance or security updates that may be required in order to ensure the necessary availability and security of the Services.
f) Notwithstanding the generality of the foregoing, the Services may include third party software and/or services. For the avoidance of doubt, any Licence granted to Customer to use the Services shall include the right to use such third-party services subject to the terms & conditions of the relevant provider.
5. Confidentiality
“Confidential Information” means any business, technical or financial information, materials, or other subject matter disclosed by one party (the “Discloser”) to the other party (the “Recipient”) that is identified as confidential at the time of disclosure or should be reasonably understood by Recipient to be confidential under the circumstances. For the avoidance of doubt, Confidential Information includes User Content.
Confidential Information shall not include information which (i) was in the public domain at the time it was received by the Recipient; (ii) is or becomes generally known to the public through lawful disclosure by a source, other than the Recipient; (iii) was demonstrably known to Recipient before the information was received from Discloser; (iv) is disclosed to the Recipient, without restriction, by a third party having the lawful right to disclose the information; or (v) is independently developed by the Recipient without use of or any reference to the Confidential Information.
a) Each party may be given access to the Confidential Information of the other party in the course of this Agreement. The Recipient shall treat and protect Confidential Information in the same manner they would for their own trade secrets and shall not disclose such Confidential Information to any third party without prior written permission of the Discloser.
b) The Recipient may disclose the Confidential Information to its employees, officers, and directors on a “need to know” basis only. In the event of such permitted disclosure the Recipient shall be responsible for ensuring that all employees, officers, and directors who may receive such Confidential Information are advised of its confidential and proprietary nature and treat the Confidential Information in the same manner as they would treat their own Confidential Information.
c) The Recipient may disclose Confidential Information if required by law, provided the Recipient gives prior written notice to the Discloser, and provided that such disclosure is made only to the extent required by law.
d) All Confidential Information shall be returned or destroyed on termination of this Agreement save where it is necessary to keep it for regulatory reasons in secure archives.
6. Personal Data
Curvestone collects and processes Personal Data in accordance with the Terms of Use.
If Customer uses the Services to process Personal Data:
a) Customer shall be the Data Controller for this Customer’s Personal Data and Curvestone, using the Services, shall process this Personal Data as a Data Processor.
b) Customer shall provide legally adequate privacy notices and obtain all necessary consents for the processing of Personal Data by the Services
c) Customer shall collect and process Personal Data in accordance with applicable law, and
d) Agrees to the terms of the Data Processing Agreement set out in Schedule B.
7. Intellectual Property Rights
a) Curvestone and/or its licensors own and shall continue to own all right, title and interest to the Intellectual Property Rights in and to the Services.
b) Curvestone shall have and retain all existing and future Intellectual Property Rights in the results of general development work it undertakes to the Services including but not limited to modifications, enhancements, and customisations howsoever arising.
c) All right, title, and interest in and to the Customer User Content or other proprietary data shall be owned by the Customer.
d) Neither Curvestone nor Customer shall have a right to use the other party’s trade names, trademarks, service marks, logos, domain names, or other distinctive brand features.
8. Term and Termination
a) This Agreement shall commence when you create a Business Account or convert your existing user account to a Business Account and shall remain in effect until terminated in accordance with this clause 8. If you purchase a subscription the subscription term will automatically renew for successive terms unless either party gives thirty (30) days’ notice before the start of the next term. If you purchase time-limited access the term will automatically expire at the end of the agreed term unless you give us thirty (30) days’ notice before the end of the current term.
b) Either party may terminate this Agreement immediately by providing written notice to the other party if the other party commits any material breach of any of the provisions of this Agreement and, in the case of a breach capable of remedy, fails to remedy the breach within thirty (30) days after receiving written notice thereof.
c) Either party may terminate this Agreement if the other party becomes insolvent, ceases business operations, or is the subject to insolvency proceedings.
d) Customer may terminate this Agreement immediately by providing written notice to Curvestone if the Services are unavailable for a continuous period exceeding forty-eight (48) hours and Curvestone fails to remedy the issue within five (5) Business Days. In this case Curvestone shall refund Customer the relevant portion of the Licence Fee paid but unused by Customer for the Services (calculated on a pro rata basis from the point at which Customer first notified Curvestone that the Services were unavailable).
e) Curvestone may suspend or terminate this Agreement immediately if Customer or any End User breaches any of the restrictions set out in this Agreement or the Terms of Use.
f) The expiration or termination of this Agreement shall not affect or prejudice any provisions of this Agreement which are expressly or by implication provided to continue in effect after such termination, including without limitation those provisions relating to Confidential Information and Intellectual Property Rights.
g) For the avoidance of doubt, suspension, termination, or expiration of this Agreement shall not release Customer from its obligations to pay Curvestone any fees accrued prior to such suspension, termination or expiration or which shall accrue after the effective date of such suspension, termination or expiration as result of Customer’s use of the Services.
h) At the expiration or termination of this Agreement, Customer shall no longer have access to the Services and Curvestone shall permanently delete any User Content.
9. Warranties
Curvestone warrants to Customer that:
a) It has and will maintain the necessary licences, consents, and permissions necessary for the performance of its obligations under this Agreement, provided at all times that Customer does not take any action or inaction that leads to such necessary licences, consents, and permissions being revoked.
b) It has sufficient security measures in place to protect against the unauthorised disclosure of Customer Confidential Information and User Content.
c) It will use reasonable efforts to ensure that the Services are available for use by Customer outside of scheduled maintenance periods.
Except for the foregoing, the Services are provided “AS IS”. In no event does Curvestone warrant that the Services are error free or that Customer will be able to operate the Services without problems or interruptions.
THESE WARRANTIES AND ANY CUSTOMER REMEDIES WITH RESPECT THERETO, AS SET FORTH HEREIN, ARE EXCLUSIVE AND EXPRESSLY IN LIEU OF ALL OTHER WARRANTIES, LIABILITIES, REMEDIES, EXPRESS OR IMPLIED, INCLUDING ANY OBLIGATION, LIABILITY, RIGHT, CLAIM, OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM NEGLIGENCE OF CURVESTONE OR ITS AFFILIATES, ACTUAL OR IMPUTED, AND NO WARRANTIES, EXPRESS OR IMPLIED REPRESENTATIONS, PROMISES OR STATEMENTS HAVE BEEN MADE BY CURVESTONE OR ITS AFFILIATES UNLESS CONTAINED IN THIS AGREEMENT. NO WARRANTY, EXPRESS OR IMPLIED, IS MADE HEREIN THAT THE SERVICES OR ANY PARTS THEREOF ARE MERCHANTABLE, OR FIT OR SUITABLE FOR THE PARTICULAR PURPOSES INTENDED BY CUSTOMER.
10. Indemnification
a) Customer shall indemnify, defend and hold harmless Curvestone, and its directors, officers, employees and agents, at its own expense against any liabilities, claims, actions, damages, costs and expenses (including but not limited to legal fees and costs) incurred by Curvestone to the extent based on a third party claim related to or arising from Customer User Content or Customer’s use of the Services, provided that Curvestone gives Customer (a) prompt written notice of such suit, (b) full control over the defence or settlement thereof, (c) all reasonable information and assistance at Customer’s expense excluding time spent by employees or consultants of Curvestone, to handle the defence and settlement thereof, and (d) does not enter into any settlement of any suit, claim or proceeding without Customer’s prior written consent.
b) Curvestone shall indemnify, defend and hold harmless Customer, and its directors, officers, employees and agents, at its own expense against any liabilities, claims, actions, damages, costs and expenses (including but not limited to legal fees and costs) incurred by Customer to the extent based on a third party claim against Customer that use of the Services infringes any Intellectual Property Rights, provided that Customer gives Curvestone (a) prompt written notice of such suit, (b) full control over the defence or settlement thereof, (c) all reasonable information and assistance, at Curvestone’s expense excluding time spent by employees or consultants of the Customer, to handle the defence and settlement thereof, and (d) does not enter into any settlement of any suit, claim or proceeding without Curvestone’s prior written consent.
c) The foregoing indemnification does not extend to, and neither Curvestone nor its directors, officers, employees and agents shall have any liability for: (a) any claim arising out of a modification by Customer of the Services which is not approved by Curvestone, (b) to any claim arising as a result of Customer’s breach of the terms of this Agreement, (c) any third party equipment or software furnished hereunder, and (d) the misuse or unauthorised use of the Services or use of the Services for any purpose other than that for which they are intended.
d) Should use of the Services provided by Curvestone become, or in Curvestone’s opinion be likely to become, the subject of a claim of infringement, Curvestone may, at its option, either: (a) procure for Customer the right to continue using the Services, or (b) modify the Services to make them non-infringing, or (c) substitute with an equivalent, non-infringing unit of Service, or (d) terminate this Agreement and refund Customer the relevant portion of the Licence Fee(s) paid but unused by Customer for such Services (calculated on a pro rata basis).
11. Limitation of Liability
IN NO EVENT SHALL CURVESTONE BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF PROFITS, USE, DATA, OR OTHER ECONOMIC ADVANTAGE) ARISING OUT OF OR IN CONNECTION WITH YOUR USE OF THE SERVICES. OUR AGGREGATE LIABILITY UNDER THESE TERMS WILL NOT EXCEED THE GREATER OF THE AMOUNT YOU PAID FOR THE SERVICES THAT GAVE RISE TO THE CLAIM DURING THE 12 MONTHS BEFORE THE LIABILITY AROSE.
The limitations of liability set forth in this Limitation of Liability shall not apply, however, in case of willful misconduct or gross negligence and nothing in this clause will serve to limit or exclude either parties’ liability for death or personal injury arising from that party’s own negligence.
12. Assignment
a) Customer shall not assign this Agreement without the express prior written consent of Curvestone.
b) Curvestone shall be entitled to assign this Agreement to an affiliated company by providing written notice to Customer.
c) Any assignee of this Agreement shall be subject to all of its terms, conditions and provisions. No assignment, delegation, transfer or any attempt thereof in violation of the foregoing shall be effective without prior written consent of the other party.
13. Changes to this Agreement
Curvestone may update these Business Terms or the associated Usage Policies and Terms of Use for End Users by providing Customer with reasonable notice. If, in Curvestone’s sole judgment, an update to these Business Terms significantly impacts your rights or obligations, Curvestone will provide at least 30 days’ notice before the update goes into effect, unless the update is necessary for us to comply with applicable law, in which case we will provide you with as much notice as reasonably possible. Your continued use of, or access to, the Services after an update goes into effect will be deemed acceptance of the updated Business Terms. If you do not agree with an update, you may stop using the Services or terminate this Agreement in accordance with the terms set out under Term and Termination.
14. Legal Compliance
Curvestone and Customer shall perform their obligations under this Agreement in accordance with all applicable laws, rules, and regulations and shall comply with all applicable requirements of the Data Protection Legislation. Notwithstanding anything to the contrary, Curvestone reserves the right to modify or withdraw from this Agreement without prior notice at its sole discretion without any penalty or liability if it reasonably expects that the contemplated transaction would violate any legal compliance obligation.
15. Governing Law
This Agreement shall be governed by and construed in accordance with the substantive laws of England without reference to or application of any conflict of laws principles. Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination, or invalidity thereof, shall be settled exclusively by a court of general jurisdiction in England.
16. General Provisions
a) If any term or provision of this Agreement is found to be illegal or unenforceable, the remainder of this Agreement shall remain in full force.
b) This Agreement represents the entire agreement between the parties for the Services, and supersedes all prior and contemporaneous, written, and oral representations, agreements and negotiations. In entering into this Agreement each party acknowledges it does not rely on, and shall have no remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.
c) This Agreement shall be binding upon and inure to the benefit of the parties and their respective successors and permitted assigns.
d) Except as expressly set forth herein, no amendment to this Agreement shall be effective unless it is in writing, dated subsequent hereto, refers explicitly to this Agreement and is signed on behalf of the parties by their duly authorised representatives.
e) No waiver of any provision of this Agreement shall be effective unless in writing signed on behalf of the party against whom the waiver is asserted. No waiver shall be implied from a party’s conduct or failure to enforce its rights under this Agreement.
f) Any notice to be served under this Agreement may be delivered by hand or sent by pre-paid first-class post or email and shall be deemed to be delivered at the time of delivery by hand, two days after posting or at the date and time of transmission if sent by email.
Business Terms – Schedule A
Business Account Fees and Payment Terms
A.1 Services Licence Fees
Customer shall be granted a licence as set out in this Agreement for the following fees:
Description: SafeChat Licence per Active End User
Monthly Price: as displayed at the point of purchase.
a) An “Active End User” is the Account Administrator and each End User account added to the Customer’s Business
Account. The End User account will be considered as added to the Business Account once the End User accepts an
invitation from the Account Administrator, or when Curvestone adds the End User at the request of the Account
Administrator.
b) The monthly fee for each Active End User shall be due for each month or part thereof during which the Active End
User is part of the Business Account. The monthly fee for each Active End User will end when the Account
Administrator removes the respective Active End User from the Business Account.
A.2. Token Fees
a) Where the Services are configured to utilise tokens from OpenAI, Azure OpenAI, or any other Large Language Models (LLMs) that charge on a per-token consumption basis, WorkflowGPT will purchase tokens on behalf of the Customer. The Customer shall be responsible for the payment of all associated token and AI API service fees ("Token Fees") at the rates set by the respective providers from time to time, plus a service charge of 10%.
b) The Customer shall be liable for all Token Fees incurred by the Customer’s Active End Users that exceed the fair usage limit as governed by the Terms of Use.
c) If the fair usage limit or the fair usage policy is not specified within the Terms of Use, a default fair usage limit of £1 per active user shall apply.
d) Token Fees that exceed the fair usage limit will be invoiced monthly or at such other intervals as WorkflowGPT may reasonably demand based on the Customer’s excess token usage.
Business Terms – Schedule B
Data Processing Agreement
This Data Processing Agreement (this “DPA”), together with any other exhibits, annexes or documents incorporated into the DPA by reference, is made by and between Curvestone and Customer and forms part of the Agreement between the parties.
1. Introduction, Scope, and Definitions
1.1. Introduction
This DPA sets forth the rights and obligations of the parties in the context of processing Personal Data on behalf of the Customer. This DPA is incorporated by reference into the Agreement between the parties for the supply and use of the Services provided by Curvestone to Customer.
1.2. Scope
The parties acknowledge that the Customer for whom Curvestone Processes Personal Data in accordance with the Agreement is and will remain the data controller and Curvestone is a data processor for the purposes of Data Processing Law (“DP Law”) in connection with this DPA. This DPA applies to all activities in which Curvestone, or any sub-processor commissioned by Curvestone, processes Personal Data of the Customer on its behalf.
1.3. Definitions
Terms used but not defined in this DPA shall be understood in terms of their definition in the Agreement and in applicable DP Law. In the event of any conflict or inconsistency between the terms set out in this DPA and Agreement (or other applicable agreements in connection with the Services), the terms in this DPA shall prevail.
“DP Law” means UK Data Protection Laws, EU/EEA Data Protection Laws, and any applicable laws, regulations, and other legal requirements relating to (a) privacy and data security; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
“Microsoft Standard Contractual Clauses” means the standard data protection clauses between Microsoft Ireland Operations Limited and Microsoft Corporation for the transfer of Personal Data from processors in the EEA to processors established in countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and approved by the European Commission in decision 2021/914/EC, dated 4 June 2021.
“Restricted Transfer” means export of data from the UK or EU/EEA which is covered by Chapter V of the UK Data Protection Laws, EU/EEA Data Protection Laws.
2. Type of Data, Nature and Duration of Processing
2.1. Type of data
Curvestone shall collect and process the names and email addresses of the Customer’s End Users on instruction of the Customer and for the purposes of providing access to the Services. Curvestone may also collect and process other Personal Data where this Personal Data forms part of User Content uploaded to the Services by the Customer. The types of Personal Data that Customer elects to include in User Content may be any categories of Personal Data identified in records maintained by Customer acting as controller pursuant to Article 30 of the GDPR.
2.2. Nature of Processing
Curvestone shall use and process User Content (including any Personal Data contained therein) only: (a) to provide Customer with the Services in accordance with the relevant Agreement, (b) for Curvestone’s business administration purposes required to manage the relationship between the parties, (c) to troubleshoot, maintain, and provide support on the Services to the Customer and its End Users, and (d) to keep the software performant.
For the avoidance of doubt Curvestone shall not use or process User Content for marketing & advertising purposes and Customer retains all right, title and interest in User Content.
2.3. Duration of Processing
The processing begins on the commencement date of the Agreement and continues for the term of the Agreement, together with any reasonable time period required for the erasure or destruction of User Content following termination.
3. Obligations of Curvestone
3.1. Curvestone shall process Personal Data only as contractually agreed or as instructed by the Customer, unless Curvestone is obliged by law to carry out specific processing. If such obligations exist for Curvestone, it shall notify the Customer prior to processing, unless such notification is prohibited by law. Furthermore, Curvestone shall not use the data provided for processing for any other purpose, in particular not for its own purposes.
3.2. Curvestone confirms that it is aware of the legal provisions of the applicable data protection laws and observes the principles of correct data processing.
3.3. Curvestone undertakes that it, together with any of its agents, officers, employees, and sub-processors who may gain access to the data, shall (i) process User Content only on instructions from Customer or as described in this DPA, (ii) maintain confidentiality during processing and after the termination of any contractual relationship, and (iii) provide periodic and mandatory data privacy and security training to its employees in accordance with Curvestone’s Information Security Policy.
3.4. Curvestone warrants that the persons employed by it for processing have been made familiar with the relevant provisions of data protection and this DPA prior to commencement of processing.
3.5. If the Customer is subject to inspection by supervisory authorities or other bodies, or if data subjects assert rights against it, Curvestone undertakes to support the Customer to the extent necessary insofar as the processing is concerned.
3.6. Curvestone shall notify Customer promptly of (i) any correspondence it may receive from any Regulator relating to User Content or (ii) any complaint from an individual about the processing of User Content in connection with the Services. Curvestone shall cooperate with Customer with the purpose of enabling Customer to respond to the correspondence or complaint.
3.7. The processing generally takes place within the EU/EEA. Any Restricted Transfer may take place only with the express consent of the Customer and is subject to the conditions in Chapter V of the GDPR and must be in compliance with the provisions of this Agreement. For the avoidance of doubt by executing this DPA the Customer grants consent for the specific transfers set out in clause 7.
3.8. Curvestone shall, unless legally not required by DP Law, appoint a competent and reliable person as Data Protection Officer (DPO). Curvestone shall inform the Customer upon execution of this DPA of the contact details of the DPO or give a reason why no DPO has been appointed. Curvestone shall inform the Customer immediately of any changes in the identity of the DPO during the term of the Agreement.
4. Rights and Obligations of Customer
4.1. Customer is solely responsible for assessing the permissibility of the processing and the safeguarding of the rights of data subjects, and warrants to Curvestone that its instructions to process data under this DPA are lawful.
4.2. Curvestone processes data on the instructions of the Customer. The Customer agrees that the Agreement (including this DPA and any applicable updates), along with the Customer’s use and configuration of features in the Services, are Customer’s complete documented instructions to Curvestone for the processing of Personal Data.
4.3. Customer shall be entitled to monitor compliance with data protection provisions and the contractual agreements at Curvestone to a reasonable extent itself or through third parties, in particular by obtaining information and inspecting the on-site controls. The persons entrusted with the inspection shall be given access and insight by Curvestone to the extent necessary for the performance of an inspection. Curvestone shall be entitled to refuse inspections by third parties insofar as they are in competition with it or for similarly important reasons.
4.4. Inspections at Curvestone's premises must be carried out without undue disruption to its business operations. Unless otherwise indicated for urgent reasons, which are to be documented by the Customer, inspections shall be carried out after reasonable advance notice, during Business Hours, and no more frequently than every 12 months.
5. Security of Processing
5.1. Curvestone shall implement and maintain technical and organisational measures to avoid unauthorised or unlawful processing of Personal Data and against loss or destruction of or damage to User Content as outlined in DP Law and in accordance with the requirements set forth in ISO 27001.
5.2. Curvestone shall ensure that all User Content shall be encrypted by default when transferred over public networks or between data centres, and when at rest.
5.3. Curvestone shall employ least privilege access mechanisms to control access to User Content.
5.4. Curvestone shall ensure that all sub-processors implement and maintain comparable technical and organisational measures at least as robust as those in use by Curvestone for its compliance with the requirements of this clause 5.
6. Subcontracting Relationships
6.1. The use of sub-processors is permitted provided that any sub-processor is contractually bound to comply with data protection obligations comparable to those agreed in this DPA. Upon request, Curvestone shall provide access to the relevant portions of its contract with the sub-processor together with any information reasonably required to demonstrate compliance with clause 6.1.
6.2. The Services provided under the Agreement make use of underlying technology provided by Microsoft’s Azure cloud infrastructure and cognitive services. The execution of this DPA constitutes Customer’s prior written consent to the engagement of Microsoft Ireland Operations Ltd and Microsoft Corporation as authorised sub-processors subject to the restrictions set out in clause 7.
6.3. The engagement and use of sub-processors who carry out commissioned processing in territories other than the territory of the UK or EU/EEA shall only be permissible (i) if the sub-processor has appointed a responsible representative in the EU in terms of Art. 27 of the GDPR, and (ii) as far and as long as the sub-processor offers appropriate data protection safeguards.
7. Processing Location and Data Transfers
7.1. The processing of data by Curvestone or its authorised sub-processors shall take place in the UK or EU/EEA.
7.2. Curvestone shall inform Customer of any change in circumstances and in particular of any plans to use resources located in the USA, or in any other location that may result in a Restricted Transfer.
7.3. Customer shall be responsible for choosing whether to permit Curvestone make use of such resources and Customer shall bear sole responsibility for informing its End Users of the risk and ensuring that End Users follow Customer’s own data handling policies.
7.4. Where any Restricted Transfer takes place, Curvestone:
7.4.1. agrees that DP Law applies to its processing of the transferred data, including the transfer of the data to the relevant sub-processor;
7.4.2. shall ensure that the transfer and processing is governed by its existing binding contractual agreements with both Microsoft Ireland Operations Ltd and Microsoft Corporation;
7.4.3. shall ensure that these transfers and any associated processing shall be governed by the Microsoft Standard Contractual Clauses. In addition, transfers from the United Kingdom shall be governed by the IDTA implemented by Microsoft. For purposes of this DPA, the “IDTA” means the International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers issued by the UK Information Commissioner’s Office under S119A(1) of the UK Data Protection Act 2018.
7.5. Customer may revoke this permission at any time by providing written instructions to Curvestone.
7.6. At all times during the term of Agreement Customer will have the ability to access, extract and delete User Content stored in the Services.
8. Notification Duties
8.1. Curvestone shall immediately notify Customer of any actual or suspected breaches of the protection of Personal Data processed on behalf of the Customer. This notification must be sent within 24 hours of Curvestone becoming aware of the relevant event and sent to an address specified by the Customer. It shall contain at least the following information:
8.1.1. a description of the nature of the breach of the protection of Personal Data, indicating where possible the categories and approximate number of data subjects, the categories concerned and the approximate number of Personal Data sets concerned;
8.1.2. the name and contact details of the Data Protection Officer or any other contact point for further information;
8.1.3. a description of the likely consequences of the breach of the protection of Personal Data;
8.1.4. a description of the measures taken or proposed by Curvestone to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects.
8.2. Curvestone shall immediately inform the Customer of any controls or measures taken by regulatory authorities or other third parties and shall assist the Customer in its obligations under Articles 33 and 34 of the GDPR to the extent required.
8.3. Curvestone’s notification of any actual or suspected breaches is not an acknowledgement by Curvestone of any fault or liability with respect to the notified event.
9. Termination
9.1. This DPA shall terminate automatically upon termination of the associated Agreement.
9.2. Upon termination of this DPA and the associated Agreement, all data processed in the terms of this DPA (including any copies thereof) which are still held on the Services at the end of the contractual relationship shall either be destroyed or returned to Customer at Customer's option. Customer must inform Curvestone of its choice within two weeks of being requested to do so by Curvestone.
9.3. Curvestone shall provide written confirmation of proper destruction or return without delay.
9.4. Curvestone shall have the right to retain documentation which serves as confirmation of proper processing of data for a period of three years from the date of termination.
10. Miscellaneous
10.1. Any Fees related to the performance of the parties duties under this DPA are conclusively regulated in the Agreement.
10.2. Should individual parts of this DPA be invalid, this shall not affect the validity of the remaining parts of the DPA.
10.3. If a party is required to notify the other party to this DPA it will be marked for the attention of the DPO or other relevant key contact and sent by e-mail to the e-mail address given for the key contact.
10.4. If one party has made any oral or written statements to the other before entering into this DPA (which are not written in this DPA) the other party confirms that it has not relied on those statements and that it will not have a legal remedy if those statements are untrue or incorrect, unless the statement was made fraudulently.
10.5. The applicable laws and jurisdiction are as set out in DP Law and in the Agreement.
These Business Terms are an agreement between Curved Stone Ltd, a company registered in England at 55a Fermoy Road, London, W9 3NJ (“Curvestone”) and you (“Customer”) for your use of Curvestone’s SafeChat software (the “Services”). You agree to be bound by these Business Terms along with the Usage Policies, the Terms of Use, and any order form provided to you by Curvestone (together, the “Agreement”).
